Through Preliminary References from the Irish Supreme Court to the European Court of Justice
Following from the high-profile 2015 decision of the European Court of Justice (the “CJEU”) in the case of Schrems v The Data Protection Commissioner, the Irish Supreme Court has recently made another data protection-related preliminary reference to the CJEU in Nowak v The Data Protection Commissioner(1).
This was an appeal to the Supreme Court concerning three issues:
- Whether a decision of the Data Protection Commissioner (the “DPC”) that a complaint is frivolous or vexatious can be appealed to the Circuit Court under Section 26 of the Data Protection Acts 1988 and 2003 (the “Acts”);
- If so, what was the standard of appeal to be applied by the Circuit Court; and
- Whether the decision of the DPC that an examination script does not come within the definition of “personal data” under the Acts was justified.
Briefly, in 2009 the Plaintiff failed an accountancy exam set by Chartered Accountants Ireland (“CAI”) and submitted a data access request seeking all “personal data” which CAI held in relation to him. In response to his request, CAI released certain data to the Plaintiff but did not release his exam script. The Plaintiff complained to the DPC, who declined to investigate the complaint on the basis that it was “frivolous or vexatious”.
Proceedings were then instituted by the Plaintiff against the DPC. The Plaintiff argued in particular that the exam was “personal data” as it was a handwritten exam which therefore contained biometric data. He also contended that if an exam result can be personal data, the “raw material” from which the results are derived must also be personal data.
The DPC argued that no appeal lies to the Circuit Court from a determination that a complaint is frivolous or vexatious because that is not a “decision” within the meaning of Section 26 of the Acts. Further, the DPC argued that this was an open book accountancy exam that would not contain any personal information which could possibly identify any exam candidate, and that there was no precedent of any other EU data protection body concluding that an exam script is personal data.
The Supreme Court found that a decision of the DPC that a complaint is frivolous or vexatious was subject to appeal under Section 26 of the Acts, and that the appeal should adopt the Orange Communications Ltd v. The Director of Telecommunications Regulation and Anor (No. 2)(2) standard, ie, whether the decision is wrong in law or vitiated by serious error. However, the Supreme Court considered that the question of whether an exam script can constitute personal data was ultimately a matter of EU law. Accordingly, in light of the complex arguments raised by both parties regarding this point and the lack of legislative guidance, the Supreme Court adjourned the case to refer this question to the CJEU.
The Supreme Court observed in its judgment that both this case and the Schrems case were appeals from a decision of the DPC to not investigate a complaint on the grounds that it was ‘frivolous or vexatious’. In both cases, the Supreme Court considered that complex issues of EU law arose requiring preliminary reference to the CJEU. It will be interesting to see if these decisions will have an impact on the DPC’s future treatment of complaints it considers to be frivolous or vexatious. While these decisions are focused on the powers of the DPC, it will also be interesting to observe how the decisions may impact on how other regulators interpret their equivalent powers.
The referral to the CJEU represents a welcome opportunity for it to consider the boundaries of “personal data”. The CJEU’s decision could have far reaching implications for students, education institutions, professional bodies and privacy bodies across the EU. This decision and the Schrems decision indicate that Ireland is at the cutting edge of developing data protection jurisprudence and presents another example of the Irish Courts driving developments in this area at EU level.